Fix memory leaks and wrong memory access

1. In wpa_config_process_bgscan() fix memory leak after calling wpa_config_parse_string() 2. In hostapd_config_defaults(), on failure to allocate bss->radius, conf->bss was not freed. 3. In p2p_deauth_nofif(), memory allocated in p2p_parse_ies() was not freed in case of NULL minor_reason_code. 4. In p2p_disassoc_nofif(), memory allocated in p2p_parse_ies() was not freed in case of NULL minor_reason_code. 5. In p2p_process_go_neg_conf(), memory allocated was not freed in case that the P2P Device interface was not waiting for a GO Negotiation Confirm. 6. In wpa_set_pkcs11_engine_and_module_path(), the wrong pointer was checked. Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
2014-01-28 09:32:35 +02:00 · 2014-01-28 09:32:35 +02:00 · 04c366cb1d
commit 04c366cb1d
parent fd67275b85
5 changed files with 13 additions and 4 deletions
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@ -140,6 +140,7 @@ struct hostapd_config * hostapd_config_defaults(void)

 	bss->radius = os_zalloc(sizeof(*bss->radius));
 	if (bss->radius == NULL) {
+		os_free(conf->bss);
 		os_free(conf);
 		os_free(bss);
 		return NULL;
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@ -3862,8 +3862,10 @@ void p2p_deauth_notif(struct p2p_data *p2p, const u8 *bssid, u16 reason_code,
 	os_memset(&msg, 0, sizeof(msg));
 	if (p2p_parse_ies(ie, ie_len, &msg))
 		return;
-	if (msg.minor_reason_code == NULL)
+	if (msg.minor_reason_code == NULL) {
+		p2p_parse_free(&msg);
 		return;
+	}

 	p2p_dbg(p2p, "Deauthentication notification BSSID " MACSTR
 		" reason_code=%u minor_reason_code=%u",
@ -3884,8 +3886,10 @@ void p2p_disassoc_notif(struct p2p_data *p2p, const u8 *bssid, u16 reason_code,
 	os_memset(&msg, 0, sizeof(msg));
 	if (p2p_parse_ies(ie, ie_len, &msg))
 		return;
-	if (msg.minor_reason_code == NULL)
+	if (msg.minor_reason_code == NULL) {
+		p2p_parse_free(&msg);
 		return;
+	}

 	p2p_dbg(p2p, "Disassociation notification BSSID " MACSTR
 		" reason_code=%u minor_reason_code=%u",
--- a/src/p2p/p2p_go_neg.c
+++ b/src/p2p/p2p_go_neg.c
@ -1136,6 +1136,7 @@ void p2p_process_go_neg_conf(struct p2p_data *p2p, const u8 *sa,

 	if (!(dev->flags & P2P_DEV_WAIT_GO_NEG_CONFIRM)) {
 		p2p_dbg(p2p, "Was not expecting GO Negotiation Confirm - ignore");
+		p2p_parse_free(&msg);
 		return;
 	}
 	dev->flags &= ~P2P_DEV_WAIT_GO_NEG_CONFIRM;
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@ -2912,6 +2912,7 @@ static int wpa_config_process_bgscan(const struct global_parse_data *data,
 {
 	size_t len;
 	char *tmp;
+	int res;

 	tmp = wpa_config_parse_string(pos, &len);
 	if (tmp == NULL) {
@ -2920,7 +2921,9 @@ static int wpa_config_process_bgscan(const struct global_parse_data *data,
 		return -1;
 	}

-	return wpa_global_config_parse_str(data, config, line, tmp);
+	res = wpa_global_config_parse_str(data, config, line, tmp);
+	os_free(tmp);
+	return res;
 }


--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@ -2083,7 +2083,7 @@ int wpas_set_pkcs11_engine_and_module_path(struct wpa_supplicant *wpa_s,
 	}
 	if (pkcs11_module_path != NULL) {
 		pkcs11_module_path_copy = os_strdup(pkcs11_module_path);
-		if (pkcs11_engine_path_copy == NULL) {
+		if (pkcs11_module_path_copy == NULL) {
 			os_free(pkcs11_engine_path_copy);
 			return -1;
 		}